SDA for Wireless Design

fatalXerror (Level 5)

Hi Guys,

I am new in SDA solutions, I would like to ask the following,

1. Where should I connect the non-fabric devices like firewall, WLC, etc.? Directly to the BN node?

2. Typically, how many BN and CP nodes should I deploy, two for redundancy?

3. How to connect my firewall if I want that the gateway of my networks are in the firewall?

4. Can my ISE and DNAC be in the DC instead of the office campus where the SDA fabric are formed?

5. Is the foreign-anchor wireless design still applicable in SDA for guest access?

Thank you so much.

13 Replies

Hi @fatalXerror 

"I am new in SDA solutions, I would like to ask the following,"

SDA is pretty new, so I believe everyone around here is also learning. I had the opportunity to deploy it and I will try to help with what I know. This is a very interesting topic.

 

"1. Where should I connect the non-fabric devices like firewall, WLC, etc.? Directly to the BN node?"

Non-fabric devices are connected to the Border Nodes, although the WLC is a fabric device (depending on the model and version). If you take a look at the CVD for SD-Access, you will find this:

"Border Node

The fabric border nodes serve as the gateway between the SD-Access fabric site and the networks external to the fabric. The border node is responsible for network virtualization interworking and SGT propagation from the fabric to the rest of the network."

 

2. Typically, how many BN and CP nodes should I deploy, two for redundancy?

I don't believe there will be a magic number. It will depend on the size of the network. But a typical CVD SDA design diagram shows two BNs for redundancy.

[Attached image: CVD SDA design diagram]

 

 

3. How to connect my firewall if I want that the gateway of my networks are in the firewall?

The gateway for the Fabric will be a device that is part of the Fabric. In this case, it cannot be the firewall.

4. Can my ISE and DNAC be in the DC instead of the office campus where the SDA fabric are formed?

I would say this is actually the normal deployment. ISE and DNAC are more commonly found in the Data Center, with the fabric switches spread across the campus. What DNAC and ISE require is basic connectivity.

5. Is the foreign-anchor wireless design still applicable in SDA for guest access?

According to the Cisco doc "SD-Access Wireless Design and Deployment Guide" it is not needed.

• Simplified guest and mobility tunneling: An anchor wireless controller (WLC) is no longer needed; guest traffic can go directly to the network edge (DMZ) without hopping through a foreign controller.

For your reference

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

 

Hi @Flavio Miranda , thank you for your reply, appreciate the help. 

I have some additional questions,

1. I believe migrating to SDA from a traditional network is not a one-shot migration. In my case, all of my VLANs' gateways in my traditional network are in the firewall, which is connected to a core switch. As part of the migration phase, can I connect my Border Node (BN) to the core switch via an L2 link so that I can migrate per VLAN, for example migrating the wireless network VLAN to SDA while the gateway stays in the firewall, with packets traversing the L2 link?

2. Will SGT tags be dropped once they come out of the Border Node? What will be the solution so that SGT tags are not dropped when traversing an IP WAN (MPLS)?

3. Instead of SGT as a way of ISE enforcement, can I use VLAN instead?

4. Should the server farm network be part of the SDA fabric?

Thank you

"1. I believe migrating to SDA from a traditional network is not a one-shot migration. In my case, all of my VLANs' gateways in my traditional network are in the firewall, which is connected to a core switch. As part of the migration phase, can I connect my Border Node (BN) to the core switch via an L2 link so that I can migrate per VLAN, for example migrating the wireless network VLAN to SDA while the gateway stays in the firewall, with packets traversing the L2 link?"

Migration strategy is surely the key moment when deploying SDA. I am afraid that it will not work this way, but this is something that is worth stressing to the limit.

Installing your BN side by side with the Core, extending a layer 2 link and maybe migrating your access switches to the Border Node while keeping the layer 3 where it is today is one possibility.

 

2. Will SGT tags be dropped once they come out of the Border Node? What will be the solution so that SGT tags are not dropped when traversing an IP WAN (MPLS)?

The SGT is enforced by ISE on the Access Switch, and it is sent to the switch in the TrustSec matrix. This is something that will be on the switch (ACL) and not flying around the MPLS link.

The logic is: you create the SGT map on DNAC. DNAC updates ISE via pxGrid, and ISE enforces the TrustSec matrix on the switch via RADIUS authentication.

 

3. Instead of SGT as a way of ISE enforcement, can I use VLAN instead?

You will use VLANs anyway. I don't believe SGT is a requirement, but I would say it is a huge improvement in security.

4. Should the server farm network be part of the SDA fabric?

I believe it is up to the environment. I see SDA as closer to access switches and endpoint devices, but I don't believe it must be limited to that.
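To illustrate the SGT point above (the matrix is applied at the switch, not carried across the WAN), here is an added Python model of a TrustSec policy matrix at an enforcement switch. It is not code from this thread or from Cisco; the SGT numbers, IP-to-SGT bindings and matrix cells are constructed sample data, and the fallback from an inline tag to an IP-to-SGT binding is an assumption of the model.

```python
"""Toy model of a TrustSec matrix applied at an enforcement switch.
Constructed sample data only; not Cisco or DNAC/ISE code."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed IP-to-SGT bindings, the kind of classification a switch
# needs so it can tag a destination (or a source whose inline tag was
# lost on a path that does not carry SGTs) from its address alone.
IP_SGT_BINDINGS: List[Tuple[str, int]] = [
    ("10.10.0.0/16", 10),       # Employees (wireless VN)
    ("10.20.0.0/16", 20),       # Guests
    ("192.168.100.0/24", 30),   # Servers in the DC
]
SGT_NAMES = {0: "Unknown", 10: "Employees", 20: "Guests", 30: "Servers"}

# Constructed TrustSec matrix: (source SGT, destination SGT) -> action.
# Cells that are not listed fall back to the default policy.
MATRIX: Dict[Tuple[int, int], str] = {
    (10, 10): "permit",
    (10, 30): "permit",
    (20, 10): "deny",
    (20, 30): "deny",
}
DEFAULT_ACTION = "permit"


def classify(ip: str) -> int:
    """Return the SGT bound to an IP (longest prefix wins); 0 if unknown."""
    addr = ip_address(ip)
    best: Optional[Tuple[int, int]] = None  # (prefix length, sgt)
    for prefix, sgt in IP_SGT_BINDINGS:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else 0


def enforce(src_ip: str, dst_ip: str,
            inline_src_sgt: Optional[int] = None) -> str:
    """Decide a flow at the enforcement switch.

    The source tag normally arrives inline from the authenticating access
    switch; when no inline tag is present (assumed here to be the case
    after an untagged WAN hop) the switch classifies the source by its
    IP binding. The destination is always classified by binding.
    """
    src_sgt = inline_src_sgt if inline_src_sgt is not None else classify(src_ip)
    dst_sgt = classify(dst_ip)
    return MATRIX.get((src_sgt, dst_sgt), DEFAULT_ACTION)
```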

Hi @Flavio Miranda , thanks again for the help.

Apologies, I just want to change the statement about the migration strategy. Between the legacy network (core switch) and the SDA network (BN), there will be another node dedicated to the L2 Handoff. With this L2 Handoff, can I migrate on a per-VLAN basis while maintaining the VLAN gateway in my legacy network? Thank you

@fatalXerror 

I don't believe you can keep the layer 3 elsewhere. As soon as you apply the template from DNAC to build up the fabric, you cannot have the gateway outside the fabric.

That's my understanding.

Hi @Flavio Miranda , I see; the reason why I need the L3 to still be in the traditional network is that my core device, where the gateways are, is a firewall.

Any other suggestion for me to be able to integrate the two networks? Thank you so much, and I really appreciate the help.

@fatalXerror I believe the direction you need to take is "Fusion Firewall". This thread below will be very helpful for you:

https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-firewall-design/td-p/4517283

Alternatively, you can also read this document I am attaching.

'Firewall Deployments'

 

Hi @Flavio Miranda , thanks for the update. Actually, I just thought that I will be using a different subnet for the new wireless VN in my SDA, so I am now thinking of just connecting my BN to the existing firewall in the traditional network. In that case, it can still control and inspect traffic from the new wireless VN to the DC, the internet, and the internal server zones. Will this work?

In this case you are simply connecting a fabric to a non-fabric device using the BN. It will work.

Hi @Flavio Miranda , so there is no need for a dedicated L3 BN, right? I can just use the BN directly connected to the firewall via L3. In this case, may I know which device will be the gateway of the new wireless VN? Will it be the BN or the EN?

I dont see the need for a dedicated BN.

The BN would be the gateway

If you are looking to keep the FW as the default GW for the VN population, you can only use an L2-handoff BN (recommended to be a dedicated BN).

But Cisco recommends using an anycast default GW on the FEs and using the FW as the FN. I'm currently on a project with a hybrid need (part of the VLANs with the default GW on the FW, part of the VLANs with the default GW on the FEs), and there were a lot of architectural struggles to bring the default GWs to the FEs in the first case. Unfortunately, regulation rules along with historical architectural weaknesses mandated using a dedicated L2-handoff BN for the first part.
